Acceptable Use Policy
Application of Policy
This policy applies to all users of corporate digital devices and systems (including but not limited to laptops, tablets and mobile smartphones) and to anyone who has access to a corporate Microsoft 365 email account/address provided by Colchester City Council (CCC), Colchester Borough Homes or Colchester Commercial Holdings Ltd. All employees, elected members, contractors, volunteers, vendors, apprentices, student/work experience placements and other partner agencies must be aware of these policy statements and are bound by the responsibilities they place upon them. Colchester City Council commits to informing all employees, members, voluntary workers, agency staff, contractors, Councillors and other third parties of their obligations. Other organisations, and their users, granted access to technology managed by Colchester City Council must abide by this policy.
It is the responsibility of all employees to ensure that access to systems, the Council’s network, documents and data is secured. Passwords must be kept safe and personal to the specific user. In addition, we all have a responsibility to ensure that devices and applications are used appropriately and that no one’s use of Digital Team solutions brings the Council into disrepute. These measures must be upheld regardless of work location.
Access to Digital Systems
- You must not leave user accounts logged in at an unattended and unlocked device.
- You must not attempt to access data or systems that you are not authorised to use or access.
- You must not download, install, access, or modify applications, systems or data without authorisation.
- You must maintain the security of information as defined in the Data Protection Policies.
- You must not access other people’s devices or use their Microsoft 365 or application login credentials.
- You must not forward CCC emails to your own personal email accounts or to any non-CCC work email account.
- You must not use any tool or rule to auto-forward any email sent to your CCC account, unless part of a specific pre-defined business process, which has been pre-approved by Digital.
- If you receive or view email or other content not intended for you, you have a legal obligation to take reasonable steps to protect the confidentiality of its contents.
- You must take care when replying or forwarding emails to ensure that only authorised individuals are included and any email history in the chain or attachments are suitable to share with that individual(s).
- Corporate email accounts must not be used for personal correspondence or non-Council business. All email use should be for Council-related activities, in line with the Council’s Acceptable Use Policy.
- The corporate email platform (Microsoft 365 mailboxes, both individual and shared) must not be used as a file store; important content or correspondence should be saved into SharePoint or an alternative document management system.
Password
- You must not share or allow anyone else to use your username and password for any Digital system.
- Password complexity requirements may change due to external risk and threat; you will change your password when requested.
- You must not write down or store your CCC password on paper or in any electronic device.
- You must ensure that each of your accounts uses a unique password.
- You must not disclose your password to anyone or ask anyone else for their password. If you suspect your password has become known to anyone else, change it immediately and report it to the Digital Team.
- You must not use someone else’s username and password to access any IT systems.
- Passwords must meet the requirements of the Council’s Password Policy; note, this is subject to change in response to National Security Risk Elevations.
- All CCC devices must be password protected (or alternately protected by other appropriate Digital Team approved means such as fingerprint or PIN).
Behaviour and Use
- You must lock your device by using Windows key + L whenever you leave your device unattended, regardless of your location.
- You must not participate in unlawful, libellous, immoral, or offensive activities, including accessing, downloading, storing, creating, copying or disseminating offensive material. This applies equally to social media and covers, but is not limited to, material of a pornographic, sexual, violent, criminal, racist, sexist, or otherwise discriminatory nature. Further, you must not use the systems to perpetrate any form of fraud or piracy.
- You must not publish a website, or any content on a website, that could bring the Council into disrepute. This includes publishing defamatory or knowingly false material about the organisation, colleagues, or customers in any online publishing format.
- Colchester City Council facilities and identity must not be used for commercial purposes outside the authority or remit of the Council, or for personal financial gain.
- You must not use the internet or email to make personal gains or conduct a personal business.
- You must not use the internet or email to gamble.
- You must not bring the Council into disrepute through use of online social networking activities.
- You must report faults with Digital systems or equipment to the Digital Team and co‑operate with fault diagnosis and resolution.
- If you use CCC technology or CCC internet provision for personal use, the Council takes no responsibility for the security of your personal information. It is recommended you do not carry out personal financial transactions.
- When working remotely, ensure Council devices are kept secure and not left unattended or visible in public places or vehicles.
- Access to Council systems from outside the UK requires prior approval from the Data Protection Officer and must be via a Council‑approved device.
Devices
- You must not connect any non-authorised device to your CCC device, the corporate network, or corporate digital systems. This includes but is not limited to external hard drives, thumb drives, and flash drives.
- The use of USB‑connected peripherals such as screens, keyboards, mice, cameras and headphones/headsets is permitted.
- The use of a VPN (Virtual Private Network) is not permitted unless via prior agreement of the Council’s DPO and Head of Digital in exceptional circumstances. Use of a VPN without authorisation will result in the access being blocked.
- If you have a business case to support the need to print at home from a corporate device, this will need to be approved by the Council’s Data Protection Officer and Head of Digital.
- Authorised devices are only those issued, managed and approved by Digital.
- You must not store any Council data on any non‑authorised equipment.
- In order to comply with Data Protection legislation, all Council communications must only be made using Council‑approved applications and devices.
Bring Your Own Device (BYOD)
- Access to Council systems via a personal device is limited to Microsoft 365 applications only (Outlook, Microsoft Teams, Excel, Word, OneDrive and SharePoint), and functionality is restricted.
- Access to your Corporate Microsoft 365 account and any third‑party systems must be secured via Multifactor Authentication.
- Access to the Microsoft 365 applications is only permitted through the web versions. You can use the web versions to create, send and reply to Outlook emails and participate in Teams chats, meetings and calls.
- Printing any data from a personal device is prohibited; this includes taking screenshots.
- Downloading of any Corporate data to any non‑corporate device is prohibited; this includes copying and pasting from and to your personal device to corporate systems, and taking screenshots.
- Access to core line‑of‑business applications linked to your Microsoft login should not be performed from personal devices. The downloading of documents or data from those systems to personal devices is prohibited, the only exception being the MySelf – iTrent HR platform.
- You are permitted to create new documents, and to edit and save existing documents, in OneDrive, SharePoint and Microsoft Teams.
- Personal devices should only be connected to the GUEST Wi‑Fi and not those designated for Staff‑only use.
Storage
- You must not give or transfer data or software to any person or organisation without a data sharing agreement and a completed Data Protection Impact Assessment (DPIA) approved by the Data Protection Officer.
- Documents must not be stored locally (for example, on the C:\ drive) on a desktop computer, laptop or mobile phone, as information may be irretrievable if the device fails or is stolen.
- The use of removable media such as memory sticks, CDs, DVDs, and removable hard drives is prohibited.
- The use of USB drives is prohibited for the storage of any corporate data. If there is a legitimate business need, a corporate encrypted USB device will be provided, subject to approval by the DPO, Head of Digital and the SIRO.
Security and Licensing
- You must not attempt to disable or bypass anti‑virus, malware or other information security controls, and you should take care not to introduce viruses or malware.
- If you discover a virus or malware, you must notify the Digital Team immediately and disconnect the device from any network.
- You must not expose the Council to risk by clicking on links or opening suspicious attachments in phishing or scam emails.
- You must not use the email systems in a way that could affect their reliability or effectiveness, for example, distributing chain letters or spam.
- You must only use software that is appropriately licensed to the Council and materials that are not copyrighted or for which you have been granted permission to use. The downloading and use of any non‑approved software or application is not permitted.
- You will need to undertake and pass mandated cyber security training before accessing Council Systems and Devices. This training is repeated and updated annually.
- New starters (employees and contractors) will need to undertake and pass mandated Cyber Security training before being provided access to Council Systems; this includes newly elected members.
Working Remotely
- Working away from the office must be in accordance with Colchester City Council’s remote working policy.
- Equipment and media taken off‑site must not be left unattended in public places and must not be left in clear view in a vehicle.
- Corporate devices must not be left in a vehicle overnight or for any prolonged period.
- Laptops must be carried as hand luggage when travelling.
- Information and equipment must be protected against loss or compromise when working remotely.
Working Abroad
- Access to Colchester systems, including Microsoft 365 accounts, is blocked by default from non‑UK locations.
- Working outside of the UK first requires line manager, HR and Digital approval. Tickets must be logged in advance of travel with ICT.
- Members must log a ticket in advance but do not require HR or line manager approval and self‑certify in this respect.
- Working outside of the UK is only approved for travel locations deemed safe and compliant by the DPO and ICT (based on ICO and NCSC guidance). The approved countries list is reviewed annually and may change without notice based on geopolitical events and cyber risk.
- Only corporate‑approved devices will be permitted when outside of the UK.
- Staff who use corporate accounts on BYOD devices should ensure their Microsoft 365 accounts are signed out or removed before travel to prevent false alerts being raised.
Use of SharePoint / Microsoft Teams
- You must not purposely engage in activity that may deprive an authorised user of access to a SharePoint or Microsoft Teams resource.
- Activity on SharePoint and Microsoft Teams may be monitored and audited to ensure compliance with Council policies.
- You must not circumvent SharePoint or Microsoft Teams security measures.
- All staff must maintain the supported information architecture by filing documents using their metadata (the Properties or Details pane) rather than creating folders within folders.
- Site owners are responsible for managing their SharePoint / Microsoft Teams areas and are accountable for their actions.
- Site owners are responsible for the custody and operation of their sites and must ensure proper authorisation of user access.
- Confidential or potentially sensitive data stored in SharePoint / Microsoft Teams must be kept confidential and secure.
- You must ensure that permissions to document libraries are correctly set and maintained to ensure information security.
- Site owners should review permissions on their sites at least annually.
- You must ensure that private or personal documents are secured appropriately.
- Data may be shared with external people/organisations using the External Sharing site where there is a justified business need. All documents must be removed once the need to share has expired. Special category data must only be shared with appropriate SharePoint / Microsoft Teams permission configurations in place.
Use of OneDrive
- OneDrive must not be used as a replacement for the corporate shared document repository, SharePoint / Microsoft Teams.
- OneDrive documents must not be kept for longer than necessary.
- If you share a OneDrive document with another user, it is your responsibility to ensure the sharing is done securely, appropriately, and ideally only for a limited duration.
- The sharing of documents externally must not be performed using open “Anyone” links; access must only be granted to listed, trusted recipients.
Use of Microsoft Teams
- Personal data should not be shared via Teams messaging.
- Any data in Microsoft Teams — including sites, chats, or meeting chat threads — is subject to Freedom of Information Requests, Environmental Information Requests, and Subject Access Requests.
- All users must ensure that document permissions are set appropriately.
- All users must ensure that retention periods for documents are applied in accordance with the retention policy and retention schedule.
- All users must ensure that only permitted participants are added to Teams channels, chats, meeting chats and meetings.
- Care should be taken when screen sharing and/or recording a meeting to ensure no personal data is disclosed inappropriately. Permission should be obtained from all attendees before recording.
- Ensure that when making video calls, your environment and any backgrounds used are appropriate for business use.
- The addition of external identities to corporate Teams sites must only occur after ICT approval.
- Only corporate‑approved AI tools (e.g., Copilot) should be used and allowed into corporate Teams meetings.
- Corporate Teams meetings must only be attended using corporate Microsoft 365 identities, not personal ones. This requirement also applies to Members.
- When attending third‑party hosted Teams meetings, caution must be taken when discussing personal, private or confidential council matters, as the meeting may be recorded or stored in another organisation’s Microsoft tenant. Third‑party AI tools may also be used to analyse or store meeting content.
Mobile / Smart Phones and Tablets
- Requests for a mobile phone will be subject to a valid business case and management authorisation.
- To prevent unauthorised access, devices must be password‑protected using the device’s built‑in features, and a strong password is required to access the network (see the Password Policy).
- Work mobile phones are issued primarily for business purposes. Personal calls and text messaging are prohibited unless in exceptional circumstances.
- Any data on a work mobile may be subject to Freedom of Information Requests, Environmental Information Requests, and Subject Access Requests.
- Employees are expected to use the internet responsibly and productively. Excessive personal browsing, including use of social media, is not permitted.
- Corporate mobile phones should connect to secure Wi‑Fi networks where possible to avoid excessive data usage.
- Use of a mobile phone hotspot should be limited to exceptional circumstances. Mobile data usage is monitored, and consistent excessive use may result in suspension of service.
- Calls to premium rate numbers are not permitted.
- Calls to overseas numbers must be made via Microsoft Teams. This functionality can be enabled for laptops and corporate smartphones with an approved business case from a Senior Leadership Team member and the Data Protection Officer.
- You must not use Colchester City Council mobile devices to conduct private business.
- Personal accounts and personal social media accounts must not be added to a corporate mobile phone.
- Mobile devices must not be used to store or transmit illicit materials or to harass others.
- When driving, staff must comply with the Council’s Vehicle User Handbook and Regulation 110 of the Road Vehicles (Construction and Use) Regulations 1986 (as amended March 2022), which prohibits the use of handheld mobile devices while driving.
- If your mobile device use is deemed unacceptable, the plan may be cancelled and the device recalled.
- Lost or stolen devices must be reported to the Digital Team Helpdesk immediately, and the incident must also be logged through the Data Protection Breach reporting system.
When an Employee or Elected Member Leaves
- It is the responsibility of the line manager, Democratic Services, and the Head of Service / Monitoring Officer to ensure the Digital Team is notified of any leavers or changes to staff roles (including permanent, temporary and casual roles) so that access can be terminated or amended appropriately.
- All Digital equipment, devices and data remain the property of Colchester City Council and must be returned upon request or in accordance with the leavers process.
Password Complexity Requirements
Passwords must meet complexity requirement settings. These settings determine whether passwords must meet a series of guidelines considered important for a strong password.
Complexity requirements are enforced when passwords are changed or created.
Requirements
- Passwords may not contain the user's Account Name value or entire Full Name (checks are not case sensitive).
- Current National Cyber Security Centre (NCSC) guidance recommends using three random words to create a strong, memorable password. Numbers and symbols may be used if needed, for example: Red-House-Monkeys-27.
- Use creative, memorable words that others cannot easily guess. Avoid using information visible on social media.
- For help generating a password, you may use: https://www.correcthorsebatterystaple.net/.
- It is recommended to use at least 3 words and a minimum of 15 characters.
- If unsure, contact the Digital Service Desk for guidance.
Never use the following personal details for your password:
- Current partner’s name
- Children’s names
- Other family members’ names
- Pet’s names
- Place of birth
- Favourite holiday
- Anything related to your favourite sporting team
With Multi‑Factor Authentication (MFA) and biometric fingerprint readers on laptops in place, the requirement to change passwords at fixed intervals has been removed, in line with NCSC guidance.
Digital reserves the right to force all users to change their passwords should the need arise.
Passwords must not be shared with anyone, and passwords should differ completely across systems and accounts.
Password System Settings
The following system settings relate to passwords:
- The user’s previous 12 passwords are remembered.
- Minimum password length is 8 characters (though a minimum of 15 is encouraged).
- Password complexity requirements are enabled.
- In the event of increased national risk (GCHQ, NCSC, Cabinet Office), tactical password changes may be implemented in real time based on national security guidance.
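As an added illustration of the Requirements and Password System Settings sections above (example code written for this page, not a Council tool), the following Python function checks a candidate password against the rules the page states: the Windows‑style “must not contain the Account Name or Full Name” check (case‑insensitive; the Full Name is split on the delimiters Windows uses and each part of three or more characters is tested), the 8‑character enforced minimum, the 12‑password history, and the page’s list of personal details that must never be used. The 15‑character and three‑word figures are reported as advice rather than failures, since the page only encourages them. The “three of five character categories” rule is the standard Windows complexity requirement that the “complexity requirements are enabled” setting turns on; the page does not spell it out, so it is included here as an assumption. The history is modelled with SHA‑256 digests purely for the demo; the directory keeps its own hashes, and the sample identities and passwords below are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # enforced: "Minimum password length is 8 characters"
RECOMMENDED_LENGTH = 15   # "a minimum of 15 is encouraged"
RECOMMENDED_WORDS = 3     # NCSC three random words
HISTORY_DEPTH = 12        # "previous 12 passwords are remembered"
MIN_CATEGORIES = 3        # assumption: Windows complexity = 3 of 5 categories
NAME_DELIMITERS = " ,.-_#\t"   # delimiters Windows uses when splitting Full Name


@dataclass
class Verdict:
    violations: list[str] = field(default_factory=list)  # hard failures
    advice: list[str] = field(default_factory=list)      # soft recommendations

    @property
    def ok(self) -> bool:
        return not self.violations


def password_digest(password: str) -> str:
    """Demo-only stand-in for the directory's stored hash (not a real password hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_categories(password: str) -> int:
    """Count the Windows complexity categories present: upper, lower, digit,
    non-alphanumeric, and alphabetic characters that are neither upper nor lower."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(checks)


def full_name_tokens(full_name: str) -> list[str]:
    """Split the Full Name as Windows does; only parts of 3+ characters are checked."""
    parts = re.split("[" + re.escape(NAME_DELIMITERS) + "]+", full_name)
    return [p for p in parts if len(p) >= 3]


def word_count(password: str) -> int:
    """Rough count of alphabetic 'words' for the three-random-words advice."""
    return len([w for w in re.split(r"[^A-Za-z]+", password) if w])


def check_password(password: str, account_name: str, full_name: str,
                   previous_digests: tuple[str, ...] = (),
                   personal_details: tuple[str, ...] = ()) -> Verdict:
    """Apply the page's password rules and return violations plus advice."""
    v = Verdict()
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        v.violations.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if character_categories(password) < MIN_CATEGORIES:
        v.violations.append(f"fewer than {MIN_CATEGORIES} character categories")
    if len(account_name) >= 3 and account_name.lower() in lowered:
        v.violations.append("contains the Account Name")
    for token in full_name_tokens(full_name):
        if token.lower() in lowered:
            v.violations.append(f"contains part of the Full Name ({token})")
    # Only the most recent HISTORY_DEPTH entries count, matching the remembered-history setting.
    if password_digest(password) in previous_digests[-HISTORY_DEPTH:]:
        v.violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    # Self-declared personal details (partner, children, pets, etc.) must never appear.
    for detail in personal_details:
        if len(detail) >= 3 and detail.lower() in lowered:
            v.violations.append(f"contains a personal detail ({detail})")

    if len(password) < RECOMMENDED_LENGTH:
        v.advice.append(f"use at least {RECOMMENDED_LENGTH} characters")
    if word_count(password) < RECOMMENDED_WORDS:
        v.advice.append(f"use at least {RECOMMENDED_WORDS} random words")
    return v


if __name__ == "__main__":
    # Constructed sample identity and candidates; the first is the page's own example.
    for candidate in ("Red-House-Monkeys-27", "JaneSmith2024!", "short1A"):
        verdict = check_password(candidate, "jsmith", "Jane Smith",
                                 personal_details=("Rover",))
        print(candidate, "OK" if verdict.ok else verdict.violations, verdict.advice)
```

The check is deliberately conservative in one respect: the Account Name test is a whole-string substring match, as on Windows, while the Full Name is tokenised, so a password such as “JaneSmith2024!” is rejected for containing “Jane” and “Smith” even though the account name “jsmith” does not appear in it.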
Monitoring
The Council reserves the right to examine any system or device used for Council business and to inspect any data held on it.
To ensure compliance, internet and network traffic, emails, and visited sites may be monitored. Specific content is not monitored unless there is suspicion of improper use or breach of this policy.
Employees must report any suspected breaches of this policy immediately to their line management and the Digital Team.
Compliance is monitored and all breaches will be investigated. Misconduct may lead to disciplinary action in line with Council procedures.
Access to Council systems and devices may be suspended. Digital reserves the right to withdraw a user’s access to any computer systems or communication services without notice, where necessary to protect the organisation.
The Council will take appropriate measures to address any breach. For employees, the issue may be handled under the disciplinary process. For Councillors, the Councillor Code of Conduct applies.
Policy Review
In the event of increased risk (as defined by GCHQ, NCSC or Cabinet Office), tactical changes may be introduced in real time based on national security recommendations. This policy will be reviewed and updated accordingly.
The policy will be reviewed annually and updated as needed.
Page last reviewed: 20 June 2025
